
Fraud prevention tools

Fraud prevention

For businesses, fraud prevention and detection can be understood as anticipating and uncovering fraudulent activities (fraud, embezzlement, asset losses caused by the actions of employees) and reacting to them adequately. In other words, fraud prevention develops solutions that counter existing and imminent risks of fraud, misappropriation or asset loss.

The aim is to minimize the probability of such cases, as well as the resulting consequential damage, by means of preventive action. In e-commerce, a real-time solution might be necessary, eliminating the threat before any damage has been done. Finding the right combination of tools to automatically screen for fraud is essential to a good fraud prevention strategy.

Standards, compliance and technology

The credit card industry needs to adhere to strict regulations and standards. These are essential components to minimize fraud, hold merchants accountable, keep customers safe and feeling safe, all while assuring that card networks maintain a good reputation.

Card Industry Security Standards Council (PCI SSC)

As its name suggests, the Card Industry Security Standards Council establishes security standards for the card industry. The standards for the PCI DSS were developed and published by this council, which is formed by all leading credit card businesses such as MasterCard, Visa, American Express and JCB. These standards apply to all participating partners in the payment process.

The PCI standards have a central role in fraud prevention, as they hold all organizations responsible and ensure strong encryption of sensitive payment data. This is elaborated through six major objectives.

  1. Networks must be secured through robust firewalls and by allowing customers to conveniently and frequently change their payment data.
  2. Cardholder information must be protected by digital encryption.
  3. Systems must be protected by anti-virus software, anti-spyware programs and anti-malware solutions, which must be kept up to date.
  4. Access to system information and operation must be restricted and controlled physically and electronically, notably through the use of unique and confidential identifications for employees and document shredders or locks and chains on dumpsters.
  5. Monitoring and testing of the networks’ security features must be continuously undertaken.
  6. A formal information security policy must be defined, maintained and followed at all times and by all participating entities.

Furthermore, the provision of non-compliance fines, ranging from $5,000 to $500,000, reinforces the obligation to adhere to these standards.

PCI compliance process

Retailers are required to regularly prove that they are compliant with PCI standards. Depending on their level of compliance, retailers must fulfill certain standards and prove their conformity yearly.

Relevant PCI Certification information for businesses

According to the credit card organizations, the PCI standards must be observed by all businesses that accept, process, save and forward the credit card information of customers. Credit card information is independent of processing time, and includes information such as the card number and date of expiration.

For further information on PCI compliance, see our guide on Payment Card Industry Data Security Standard.

Payment Services Directive

The Payment Services Directive, administered by the European Commission, is designed to regulate payment services and payment service providers in the European Union and European Economic Area. This EU Directive is aimed at improving the security of online payment services, opening the online payment landscape to new innovative solutions and minimizing online fraud. Its revised version (PSD2) entered into force in January 2016, one year before its rules apply.

Strong customer authentication

Mandated by the PSD2, strong customer authentication (SCA) involves the use of two or more independent authentication elements. Should one element be compromised, the other authentication element would still be reliable. These elements can be knowledge-based, such as a PIN; possession-based, a passport for example; or inherence-based, e.g. fingerprints. While giving the customer an active role in the authentication procedure reinforces his protection, it also takes the customer’s focus away from the transaction, which risks lowering the conversion rate.

Validation services

Aimed at verifying the buyer’s identity, validation tools are a vital security feature for merchants. The best known and most used validation tools are address validation and the card verification number.

Address verification

The system checks whether the address is correct. For this purpose, an address database is queried in order to verify the existence of the address. These databases are not country-dependent. Credit card providers can check the address provided against the registered address. If, for example, the customer specifies a German delivery address with an IP originating from another country, this can already be a sign of fraud. Also, the client's IP may have been obscured by an anonymization service.

Card verification number

Also known as card verification value (CVV or CVN), the three- or four-digit security code printed on the back of credit cards is a security feature for “card not present” transactions. It was instituted to help reduce the incidence of credit card fraud. Asking customers to enter their CVV at checkout is an extra step towards verifying the ownership of the card.

3D Secure

A common first step in e-commerce fraud prevention is the 3D-Secure method, in which the identity of the card owner is verified before the purchase is authorized. During the payment process, the online shop sends a request to the card-issuing bank. This in turn opens an input window in the browser, and the customer must enter his personal security code, also known as SecureCode. If the authentication check is successful, the order is confirmed. However, if it fails, the payment process is terminated immediately, and the transaction is cancelled. For further information on the subject, read our guide on payment process of the credit card.

Authentication and identity control

Commercial database providers can be asked to verify whether the customer really lives at the address stated. In addition, most European countries’ personal identification cards feature an e-ID function, allowing the user to confirm their identity. However, it must be mentioned here that this method must be manually enabled by the cardholder.

Others

Address verification service (AVS) and card verification number (CVN or CVV) are the two most popular fraud detection tools, adopted by 88% and 82% of North American online merchants respectively in 2017. However, many other validation tools are available. Alternatives to AVS include postal address validation services or Google Maps lookup. Additionally, merchants may choose to verify the customer’s telephone number (also known as reverse lookup). Other validation tools include, among others, social networking sites, credit history checks, paid-for public records services, two-factor phone authentication and biometric indicators.

Other fraud prevention services

Proprietary customer and multi-merchant data history

A customer history can be company-specific, meaning the data collected by one merchant, or multi-merchant. The most common proprietary customer data history tool is the customer order history. If a customer is already in a merchant’s database, the merchant can quickly verify whether the previous order was problematic. Other proprietary customer data history tools include order velocity monitoring, a fraud scoring model (company-specific), customer website behavior analysis and positive lists.

On the other hand, multi-merchant data focuses on shared information, for example the negative lists, also known as in-house lists. These lists might indicate suspicious computer devices or fraudulent clients. Another shared database tool collects multi-merchant purchase velocity information. These shared methods are relatively uncommon, both being implemented by less than 30% of North American online merchants in 2017.

Purchase device tracking

Finally, fraud prevention measures can track the purchase device to identify a potential threat.

Certain regional fraud trends have been observed. Locating a customer, independently of the shipping address entered, helps determine whether he is in a high-risk region. Those regions are not limited to countries, but can be smaller areas. In 2017, over half of North American online merchants used IP geolocation information in their fraud prevention strategy.

Device “fingerprinting” remotely collects information about the buyer through the purchase device used. This can effectively help detect and prevent fraud by identifying devices previously used to commit fraud but also by determining the likelihood of a customer committing fraud, based on their signal profile.
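As an added example (not part of the original guide), the following sketch combines several of the tools described above in one rule-based screen: order velocity monitoring, positive and negative lists, the IP country versus shipping country comparison, an anonymization flag and a device fingerprint lookup. All names, weights and thresholds are assumptions chosen for illustration, and orders are assumed to arrive in timestamp order.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Order:
    customer_id: str
    timestamp: float         # seconds since epoch
    ip_country: str          # result of an upstream IP geolocation lookup
    shipping_country: str
    ip_is_anonymizer: bool   # proxy/VPN flag from the geolocation provider
    device_id: str           # device fingerprint hash

class FraudScreen:
    """Rule-based screen. Weights and thresholds are illustrative assumptions."""

    def __init__(self, negative_devices, positive_customers,
                 max_orders=3, window_s=3600, review_at=40, reject_at=80):
        self.negative_devices = set(negative_devices)
        self.positive_customers = set(positive_customers)
        self.max_orders, self.window_s = max_orders, window_s
        self.review_at, self.reject_at = review_at, reject_at
        self._recent = defaultdict(deque)  # customer_id -> recent order times

    def _velocity(self, order):
        """Record the order; return the customer's order count in the window."""
        times = self._recent[order.customer_id]
        while times and order.timestamp - times[0] > self.window_s:
            times.popleft()
        times.append(order.timestamp)
        return len(times)

    def screen(self, order):
        """Return (decision, score, reasons) for one order."""
        score, reasons = 0, []
        def flag(points, reason):
            nonlocal score
            score += points
            reasons.append(reason)
        if self._velocity(order) > self.max_orders:
            flag(40, "order velocity above limit")
        if order.ip_country != order.shipping_country:
            flag(30, "IP country differs from shipping country")
        if order.ip_is_anonymizer:
            flag(30, "IP behind an anonymization service")
        if order.device_id in self.negative_devices:
            flag(80, "device fingerprint on negative list")
        elif order.customer_id in self.positive_customers:
            score //= 2  # positive list halves the score, never overrides a listed device
        if score >= self.reject_at:
            return "reject", score, reasons
        return ("review" if score >= self.review_at else "accept"), score, reasons
```

Orders that land in "review" are the ones a fraud analyst would inspect manually; the returned reasons list records which signals fired.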

Fraud analyst & manager

While advanced technologies are required for an optimal fraud detection and prevention strategy, human intelligence and expert analysis are equally crucial. Fraud solutions need to be tailored, implemented, monitored and adjusted by fraud experts.

E-commerce fraud analyst or investigator

Either as an employee or through a contracted specialized company, a fraud analyst investigates forgery and theft within customers' accounts and transactions. They track and monitor the transactions and the customers' account activity. Experienced analysts can create fraud management strategies, aiding business growth and new revenue streams. Fraud analysts and fraud managers can also improve the fraud prevention strategies already in place by adapting them to changing trends and customer behaviors through continuous, proactive data analysis.


Fraud in mobile payment

The mobile channel is the newest victim of fraudsters. Learn more about fraud in mobile payment.

2017-11-15
